keytool
The keytool command provided by openjdk installations can be used with a PKCS#11 driver.
A configuration file is needed which points to the pkcs11 driver (and a name):

```
library=/path/to/BouncyHsm.Pkcs11Lib-x64.so
name=bouncy-hsm
```
The command to generate a new private key and corresponding self-signed certificate:

```
keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg java-pkcs11.cfg -genkey -keyalg RSA -keysize 2048 -dname cn=sample -alias sample-rsa
```

This fails with the following error message:
```
[12:33:51 INF] Executing operation CreateObject.
[12:33:51 ERR] Pkcs11 error during operation CreateObject with CKRV: CKR_ATTRIBUTE_VALUE_INVALID.
BouncyHsm.Core.Services.Contracts.RpcPkcs11Exception: Attribute CKA_SERIAL_NUMBER is not valid X509 Name in DER encoding.
 ---> System.ArgumentException: failed to construct integer from byte[]: unexpected end-of-contents marker
   at Org.BouncyCastle.Asn1.DerInteger.GetInstance(Object obj)
   at BouncyHsm.Core.Services.Contracts.Entities.CryptoObjectValueChecker.CheckDerInteger(CKA attributeType, Byte[] data, Boolean enableEmpty, Boolean mustByPositive)
   --- End of inner exception stack trace ---
   at BouncyHsm.Core.Services.Contracts.Entities.CryptoObjectValueChecker.CheckDerInteger(CKA attributeType, Byte[] data, Boolean enableEmpty, Boolean mustByPositive)
   at BouncyHsm.Core.Services.Contracts.Entities.X509CertificateObject.Validate()
   at BouncyHsm.Core.Services.P11Handlers.CreateObjectHandler.Handle(CreateObjectRequest request, CancellationToken cancellationToken)
   at BouncyHsm.Core.Rpc.RequestProcessor.ProcessRequestBody[TRequest,TResponse](IServiceProvider scopeProvider, String operation, ReadOnlyMemory`1 requestBody, Func`2 nonOkResponseFactory, ILogger logger, CancellationToken cancellationToken)
```
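What a strict check such as the `CheckDerInteger` call in the log looks for, as an added example (not BouncyHsm or JDK code): PKCS#11 defines `CKA_SERIAL_NUMBER` as the DER encoding of the certificate serial number, so only one complete DER INTEGER is accepted. The function names and sample serial are constructed for illustration, and the thread does not show which bytes keytool actually sent.

```python
# Added example: strict DER INTEGER validation (X.690) for a CKA_SERIAL_NUMBER value.
# Names and sample values are constructed; this is not the project's implementation.

def der_encode_integer(value: int) -> bytes:
    """DER-encode a non-negative integer (tag 0x02, short-form length only)."""
    if value < 0:
        raise ValueError("example handles non-negative serial numbers only")
    # bit_length() // 8 + 1 keeps a leading 0x00 when the top bit would be set
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    if len(body) > 127:
        raise ValueError("long-form lengths are out of scope for this example")
    return bytes([0x02, len(body)]) + body


def check_der_integer(data: bytes) -> str:
    """Return 'ok', or the reason the bytes are not one complete DER INTEGER."""
    if len(data) < 2:
        return "truncated: no tag and length"
    tag, length = data[0], data[1]
    if tag == 0x00 and length == 0x00:
        return "end-of-contents marker (00 00), not an INTEGER"
    if tag != 0x02:
        return f"unexpected tag 0x{tag:02x}, INTEGER is 0x02"
    if length & 0x80:
        return "long-form length not handled in this example"
    body = data[2:]
    if length == 0 or len(body) != length:
        return "length does not match content"
    # DER requires the shortest two's-complement form
    if length > 1 and ((body[0] == 0x00 and body[1] < 0x80) or
                       (body[0] == 0xFF and body[1] >= 0x80)):
        return "non-minimal encoding"
    return "ok"


SAMPLE_SERIAL = 0x5A17C3E9  # constructed serial number
CASES = {
    "DER-encoded serial": der_encode_integer(SAMPLE_SERIAL),
    "raw big-endian serial": SAMPLE_SERIAL.to_bytes(4, "big"),
    "zero-filled buffer": b"\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for label, value in CASES.items():
        print(f"{label:22} {value.hex():14} -> {check_der_integer(value)}")
```

Running the same check on the attribute bytes that the improved logging prints would show whether the client sent a DER INTEGER or something else.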
Thanks for reporting the bug.
I will need to replicate this. Which JDK version are you using? It is best if you write me the name of the package and the version.
#14 Improved logging - added notes of non-government attributes.
8ccb0f1
@MaxFichtelmann try this build, it also logs the value of the problem attribute. https://github.com/harrison314/BouncyHsm/actions/runs/11578823608
Edit: Try version 1.1.1 https://github.com/harrison314/BouncyHsm/releases/tag/v1.1.1 with better logging.
harrison314